Privacy advocates have long called for a federal privacy law, and it’s coming. In the meantime, experts say complying with the CCPA will lay the groundwork for future compliance with a federal law.

Like revelers packing Times Square on New Year’s Eve waiting for the ball to drop, a close teeming crowd of organizations spent the waning moments of 2019 – with both trepidation and excitement – ringing in the California Consumer Privacy Act (CCPA), one of the strongest state laws safeguarding privacy and whose underlying tenets might eventually serve as the basis of federal privacy legislation. 

Although technically the CCPA went into effect New Year’s Day, in reality regulators won’t begin enforcing the law for another six months, which means for many enterprises struggling to comply, July will be a very hot month indeed. 

“CCPA will impact any business above a certain size that handles personal data relating to a citizen of the state of California irrespective of where that enterprise may be located,” says Steve Durbin, managing director of the Information Security Forum (ISF).   

The CCPA will likely embolden other states to codify privacy protections as well. “We’ll have to wait and see, but in much the same way that GDPR has far-reaching effects outside the EU,” he says, “I would expect many other states to take action after a period of wait and see to determine the impact of CCPA.” A handful, including New York and Massachusetts, already have crafted their own versions.

States weigh in on security 
 
With the focus trained on national legislation to safeguard data and privacy, legislative activity at the state level often gets overlooked, though it has flourished in recent years. Many states have passed, rejected or have pending bills primarily focused on compelling businesses to inform customers about how their data is used. At the very least, these bills give organizations a peek at what’s on lawmakers’ minds.

“We are still nowhere near a consistent approach to privacy and personal information usage in the United States and I do not anticipate this changing with a federal regulation any time soon,” says Durbin, though a proliferation of state laws will likely nudge Congress toward acting on the national level. 

He points to “a very real need for a federal law to avoid states introducing their own variations and interpretations on privacy which adds a further compliance burden to already overstretched businesses looking to understand and comply with their obligations across the various regions in which they are transacting business.” 

Indeed, the notion of a national law has gotten a boost from tech giants like Apple, Google and Facebook. “Tech CEOs have been very vocal in their support,” says Baffle cofounder and CEO Ameesh Divatia. 

Apple CEO Tim Cook, for example, has given a federal privacy law a full-throated endorsement, telling attendees at the 2018 International Conference of Data Protection and Privacy Commissioners that his company is “in full support of a comprehensive federal privacy law in the United States.”

Lawmakers, too, have started to push in earnest for a national law. “Over the last year, I have unveiled a range of bipartisan bills to put consumers back in control, in the hope that these proposals would be incorporated into comprehensive privacy legislation my colleagues have been working on,” Sen. Mark Warner, D-Va., noted in a statement after the CCPA took effect January 1. “These bipartisan bills range from legislation that would prohibit manipulative and deceptive design practices often used to trick consumers into unfair and invasive terms of service; legislation that would provide consumers full transparency on the types of data being collected, its uses, and the value of that data to service-providers; and legislation that, building on CCPA and GDPR, would make user data portable to competing providers – while also making dominant providers support interoperability and consumer use of third-party ‘privacy managers.’” 

Contending the enactment of the comprehensive California law casts a harsh spotlight on the “failure of the federal government to lead on privacy,” Warner said, “Congress can no longer sit idly by in this data privacy debate.” 

Sen. Ron Wyden, D-Ore., a privacy advocate, has no intention of remaining idle as concerns over privacy and the call for privacy legislation mount. Aiming to protect data and punish corporate executives who abuse it, Wyden last fall introduced the Mind Your Own Business Act.

Billed by the senator as going further than the GDPR, the bill would let consumers control how their data is used – in a single click – and puts the authority for enforcing the legislation on the shoulders of the Federal Trade Commission (FTC). 

The contents of the proposed legislation reflect feedback gathered over the preceding year, strengthening “Do Not Track,” extending Lifeline protections for services aimed at low-income users, giving state attorneys general the authority to enforce the bill’s regulations, creating a right of action for advocacy and protection groups, and levying tax penalties on organizations whose CEOs lie about privacy safeguards.

Under the terms of the legislation, the FTC would have the authority to create minimum privacy and cybersecurity standards; impose steep fines – as much as four percent of annual revenue – on companies for a first offense, as well as 10- to 20-year criminal sentences on executives who deliberately lie to the commission; and create the Do Not Track system that consumers could use to stop organizations from tracking them, selling or sharing their information, or using it to target ads. The agency also would be able to review the personal information companies have used and how it has been shared.

While Wyden says the Mind Your Own Business Act is not meant to supersede the CCPA and other state laws, any federal legislation will likely do just that. “Is there a chance of the CCPA being overwritten by a federal law? Unfortunately, yes,” says Robert Cruz, senior director of information governance at Smarsh, explaining that the patchwork of state laws, “each with unique provisions around rights of minors, opt out requirements, biometric data, social media, etc.” could “create a very complex quilt of regulations that firms with clients in multiple states would have to comply with, which is why many organizations such as Facebook and Google are advocating for a consistent set of federal rules.”  

Cruz believes the resulting legislation would be “based upon a set of common denominators across states” that he fears “would very likely be weaker than CCPA.” 

As Durbin contends, the CCPA is not as stringent as GDPR, but, says Cruz, it does include “a few provisions where it has been further developed, such as in the areas of cybersecurity and protection of information from minors.” “CCPA is also attempting to define personal information broadly, including making devices associated with specific individuals subject to” its provisions, he says, and it offers an apparently unique 12-month reach-back provision “where firms’ obligations in response to requests will reach back up to a period of 12 months,” making them “potentially responsible for information they may be using inappropriately at this very minute.”

Comply now with the future in mind

The shortcomings and vagaries of the California law – such as the failure to define the “reasonable” privacy protection measures that companies must implement – as well as the absence of a regulatory framework for enforcement in the U.S. similar to the one found in the EU have complicated the compliance picture. Smart organizations, though, are tackling those issues and using CCPA as the pre-game for compliance with a federal law.

Legislators crafted the California law around a set of four rights – the right to notice; right to know; the right to opt out; and the right to delete – that organizations can use as guideposts for compliance beyond the state act itself.  

Take a data-centric approach.

“Am I protecting a server or data on a server?” says Myke Lyons, CISO at Collibra. “If the server goes boom it might cause a little heartache,” but losing or compromising data could be disastrous.

•  Categorize it. “You have to figure out if it is structured or unstructured data and begin to bag it,” says Divatia.
•  Set guidelines for data use. “Businesses will also need an effective communication strategy to outline when customer information may be sold or disclosed for business-related purposes,” says Heather Paunet, vice president of product management at Untangle. “Transparency in data collection will be a foundational pillar for businesses looking to maintain a trusting relationship with their customers.” 

Focus on privacy policy, not compliance.  

“When we did GDPR we didn’t treat it like a project; we treated it as our privacy policy – a platform across initiatives,” says Lyons, who explains the company turned planks like the right to be forgotten into general procedures.

Expand protections to all customers and partners, not just those in California. 

“In terms of accepting the CCPA across the U.S., we believe it is a great move from the industry to take a rigorous standard and apply it uniformly, in contrast to taking a lower standard and then attempting to ‘super charge’ it for more rigorous jurisdictions,” Cruz says. “We have heard some firms subject to GDPR take a similar approach: build practices, policies, and technologies around the more rigorous standard and relax in specific scenarios if and when necessary.”

Insist third parties adhere to a predetermined privacy policy. 

“Vendor management is often the weakest link in the chain,” says Carlo Di Florio, global chief services officer, ACA Compliance Group. “Only work with vendors that comply with your” policies, he says.

Raise user awareness.  

“Educating employees about CCPA compliance will be key for businesses during this next phase of data privacy regulations. As the handling of customer data becomes more regulated, businesses will need to learn about and put in place provisions to adhere to these regulations,” says Paunet.

Regulated firms “will have a head start in meeting requirements, in that they are already accustomed to actively managing the retention of data, and thus will start with a better understanding of where personal data lives in their organizations and have had the opportunity to implement governance policies to ensure that sensitive data can be brought under control,” says Cruz. Their “biggest change will likely be to create additional pressure to finally delete data that is redundant or outdated and that has outlived its business purpose. That has been a challenge for almost all organizations.” 

Di Florio explains that financial firms under the oversight of the SEC already have stringent requirements around governance, audits, data loss prevention and the like to follow. “Privacy and information security have become key priorities for SEC in the last few years,” he says, in an attempt to help companies protect investments and develop operating resilience.

Those not already under strict regulations might have a tougher road. “For non-regulated firms that have not been focused on proactive information governance controls, a larger amount of work lies ahead,” Cruz explains. 

Federal law: not if, when 

A federal law could debut by the end of the year, spurred on by an election year, says Divatia, explaining that privacy has bipartisan support. “With the election coming up, [privacy could] become a campaign promise.”

But the election could have the opposite effect as well. “In a highly partisan legislature and an election year, don’t expect to see national-level data privacy legislation passed in the United States,” says Rick Holland, CISO and vice president of strategy at Digital Shadows. “More state-level privacy legislation, like the CCPA, is the most likely scenario.”

And who’s in the White House makes a difference, too. “The likelihood of such federal rules under the current administration is low,” Cruz says.